Topic: [POOL][Scrypt][Scrypt-N][X11] Profit switching pool - wafflepool.com - page 141. (Read 465668 times)

member
Activity: 112
Merit: 10
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??
why don't you ask gridseed manages? 98.8% of people in here do not like your kind as much as their first hangover.


I have.. But if it's a Pool issue it's not their issue..

And yea I could see how people would not like me considering I am getting Free hosting including free electricity and Internet..

I don't care what people like or don't like..


Is this some sort of gridseed deal or are you just able to stick them into a works server room? Smiley
Thanks
Miles


I don't work for them and don't want to get flamed by all the silly noobs on this site.

But it is GAWMiners     Look them up if you want. They have been offering free hosting..   I got a 20 pack yesterday during the day, and was up and hashing last night
newbie
Activity: 55
Merit: 0
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??
why don't you ask gridseed manages? 98.8% of people in here do not like your kind as much as their first hangover.


I have.. But if it's a Pool issue it's not their issue..

And yea I could see how people would not like me considering I am getting Free hosting including free electricity and Internet..

I don't care what people like or don't like..


Is this some sort of gridseed deal or are you just able to stick them into a works server room? Smiley
Thanks
Miles
member
Activity: 112
Merit: 10
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??
why don't you ask gridseed manages? 98.8% of people in here do not like your kind as much as their first hangover.
I have.. But if it's a Pool issue it's not their issue..
And yea I could see how people would not like me considering I am getting Free hosting including free electricity and Internet..
I don't care what people like or don't like..
and why would you care for their help then?
how can it be a pool issue if their 22+ghs are jumping on and off at will?


ummmmm  How about you read the 25 post before this one???  before you open your mouth..
full member
Activity: 168
Merit: 100

Assumptions make poor foundations upon which to build any theory.  Though hard coding ip addresses will circumvent the problem for now, it may cause unexpected outages in the future if pw reconfigures the server network.


Sorry, I take back the word assumption if you're going to be semantic.  

Here's what I've seen, which I'm using to create my "theory":  I have 2 mining setups, both pointing to useast.wafflepool.com.  The two systems use different miners, one is using cgminer running under BAMT, the other is using cudaminer under win7.  Both systems are NAT'd behind a router running dd-wrt.  

With the difference in miners / systems, I don't think someone trojaning both my systems with different miners / OS's / authentications at the same time is likely.  With other people reporting the same issue, it makes a lot of sense that some sort of DNS hijack took place.  

I agree with you and don't recommend people hardcode an IP in their miner configs for long term use, but for the immediate future it would negate any sort of DNS issues should they continue.

I never suggested anyone infiltrated your systems with a trojan, and to rush to judgment that nothing else can be responsible other than a dns hijack, is a leap using poor reasoning.

Google "stratum client.reconnect", and notice that even if ip addresses are hard coded, you could still be vulnerable to this potential attack vector.

But as this would suggest a pool server vulnerability, I kept it private for a while to give pw a chance to collect whatever information he could to confirm or eliminate this possibility.

In simple English, within the legitimate code of most stratum mining software is a command called client.reconnect that can be issued by the server to tell any miner to switch to another server and port.  If a pool server vulnerability had been found and exploited, it would be possible to send your miner a client.reconnect command to go mine elsewhere, anywhere.

Here is a snippet from ckolivas/cgminer 3.7.2 code:


   if (!strncasecmp(buf, "client.reconnect", 16) && parse_reconnect(pool, params)) {
      ret = true;
      return ret;
   }


static bool parse_reconnect(struct pool *pool, json_t *val)
{
   char *url, *port, address[256];

   memset(address, 0, 255);
   url = (char *)json_string_value(json_array_get(val, 0));
   if (!url)
      url = pool->sockaddr_url;

   port = (char *)json_string_value(json_array_get(val, 1));
   if (!port)
      port = pool->stratum_port;

   sprintf(address, "%s:%s", url, port);

   if (!extract_sockaddr(address, &pool->sockaddr_url, &pool->stratum_port))
      return false;

   pool->stratum_url = pool->sockaddr_url;

   applog(LOG_NOTICE, "Reconnect requested from pool %d to %s", pool->pool_no, address);

   if (!restart_stratum(pool))
      return false;

   return true;
}


For those of you affected by the problem with detailed cgminer logs, (from cgminer/sgminer, not cgwatcher as it does not log such messages), may I suggest that you search for "reconnect requested" messages for any possible evidence of this method being used.
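
As an added example (not cgminer's code and not part of the post above), here is one way a miner could constrain the `client.reconnect` target that the quoted `parse_reconnect` accepts as-is: only the configured host or a sibling under the same parent domain is allowed, and the address is built with a bounded `snprintf` instead of `sprintf` into the fixed `address[256]`. The function names are hypothetical and the domain match is a simple suffix comparison, which is an assumption of this sketch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* IPv4 literals are digits and dots only; anything with ':' is treated as IPv6. */
static bool is_ip_literal(const char *host)
{
	return strchr(host, ':') || host[strspn(host, "0123456789.")] == '\0';
}

/* True if requested is the configured host itself or another host under the
 * same parent domain (useast.wafflepool.com -> *.wafflepool.com).
 * Naive on purpose: no public-suffix list, so "x.co.uk" style names need one. */
static bool same_domain(const char *configured, const char *requested)
{
	const char *base = strchr(configured, '.');	/* ".wafflepool.com" */
	size_t rlen = strlen(requested), blen;

	if (!strcasecmp(configured, requested))
		return true;
	if (is_ip_literal(configured) || is_ip_literal(requested))
		return false;		/* a bare IP never matches by suffix */
	if (!base || !strchr(base + 1, '.'))
		return false;		/* parent would be a bare TLD */
	blen = strlen(base);
	return rlen > blen && !strcasecmp(requested + rlen - blen, base);
}

static bool valid_port(const char *port)
{
	size_t n = strlen(port);
	long v;

	if (n == 0 || n > 5 || port[strspn(port, "0123456789")] != '\0')
		return false;
	v = strtol(port, NULL, 10);
	return v >= 1 && v <= 65535;
}

/* Hypothetical helper (not cgminer's): validate a client.reconnect target
 * against the pool the user configured, then build "host:port" in out. */
bool reconnect_target_ok(const char *cur_host, const char *cur_port,
			 const char *url, const char *port,
			 char *out, size_t outlen)
{
	int n;

	if (!url)
		url = cur_host;	/* same fallbacks as the quoted parse_reconnect */
	if (!port)
		port = cur_port;
	if (!valid_port(port) || !same_domain(cur_host, url))
		return false;
	n = snprintf(out, outlen, "%s:%s", url, port);
	return n > 0 && (size_t)n < outlen;	/* refuse truncated output */
}
```

With a check like this in front of `extract_sockaddr`, a reconnect to a bare IP such as the 206.223.224.x addresses reported in this thread is refused even when the miner was configured with a hard-coded pool IP.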
newbie
Activity: 4
Merit: 0

Assumptions make poor foundations upon which to build any theory.  Though hard coding ip addresses will circumvent the problem for now, it may cause unexpected outages in the future if pw reconfigures the server network.


Sorry, I take back the word assumption if you're going to be semantic. 

Here's what I've seen, which I'm using to create my "theory":  I have 2 mining setups, both pointing to useast.wafflepool.com.  The two systems use different miners, one is using cgminer running under BAMT, the other is using cudaminer under win7.  Both systems are NAT'd behind a router running dd-wrt. 

With the difference in miners / systems, I don't think someone trojaning both my systems with different miners / OS's / authentications at the same time is likely.  With other people reporting the same issue, it makes a lot of sense that some sort of DNS hijack took place. 

I agree with you and don't recommend people hardcode an IP in their miner configs for long term use, but for the immediate future it would negate any sort of DNS issues should they continue.
newbie
Activity: 56
Merit: 0
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??
why don't you ask gridseed manages? 98.8% of people in here do not like your kind as much as their first hangover.
I have.. But if it's a Pool issue it's not their issue..
And yea I could see how people would not like me considering I am getting Free hosting including free electricity and Internet..
I don't care what people like or don't like..
and why would you care for their help then?
how can it be a pool issue if their 22+ghs are jumping on and off at will?
member
Activity: 112
Merit: 10
GAWMiners restart my Hosted units and looks good now..  

Edit:  Yes Bill Just got on mine and they look to be restarting..

full member
Activity: 156
Merit: 100
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??
why don't you ask gridseed manages? 98.8% of people in here do not like your kind as much as their first hangover.


I have.. But if it's a Pool issue it's not their issue..

And yea I could see how people would not like me considering I am getting Free hosting including free electricity and Internet..

I don't care what people like or don't like..


I also have some hosted gridseeds and have seen my hash rate go from 3-3.5 to 1.25mh/s in the past hour. I have emailed GAW and waiting to make sure everything is good on their end.

Did you get any answer from GAW?
newbie
Activity: 56
Merit: 0

since it is obvious that some one compiled cgminer or sgminer with a worm within, you probably should publicly post it here. and after that we will find the trojan link. omg do you think it is deeper... in wifi router's dns settings ?


I do not believe that to be the case.  But if it were a dns hack, cgminer or most other miner software would still continue to display x.wafflepool.com as the pool server name, and it would simply resolve to another ip address underneath.  If cgminer or other miner software shows the unexpected ip address as the server name, then something else must be the cause.  I suggested one possibility to pw, but he considered it to be unlikely.  We'll see.

there is a 50% possibility (either yes or no) that fbi made him an offer he can't refuse? ))
full member
Activity: 168
Merit: 100
both my miners had switched to 206.223.224.2 - cgminer (bamt) and cudaminer (win7), both rigs using google public dns 8.8.8.8.

Doing lookup on the bad ip:

nslookup 206.223.224.2
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    true.fiberpimp.net
Address:  206.223.224.2



wafflepool now resolves properly:

nslookup useast.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    useast.wafflepool.com
Address:  162.243.89.19

While that sounds conclusive on the surface, did you ever run "nslookup useast.wafflepool.com" on dns server 8.8.8.8 and receive address 206.223.224.2 as a result?  And wasn't it 206.223.224.225 that we are all talking about?


No, right now it seems the us wafflepool.com endpoints are resolving properly when using google's dns:

nslookup useast.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    useast.wafflepool.com
Address:  162.243.89.19

nslookup uswest.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    uswest.wafflepool.com
Address:  192.241.211.125

I'm assuming that when my miners went down, there was a DNS hijack taking place and if you'd tried resolving wafflepool at that point, you'd get the bad IP's.  Looks like currently things are back to normal but I suggest keeping a close eye on your miners, maybe even direct setting the endpoint IP's in cgminer.conf in case this attack starts back up.

Assumptions make poor foundations upon which to build any theory.  Though hard coding ip addresses will circumvent the problem for now, it may cause unexpected outages in the future if pw reconfigures the server network.
Cru
newbie
Activity: 3
Merit: 0
both my miners had switched to 206.223.224.2 - cgminer (bamt) and cudaminer (win7), both rigs using google public dns 8.8.8.8.

Doing lookup on the bad ip:

nslookup 206.223.224.2
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    true.fiberpimp.net
Address:  206.223.224.2



wafflepool now resolves properly:

nslookup useast.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    useast.wafflepool.com
Address:  162.243.89.19

While that sounds conclusive on the surface, did you ever run "nslookup useast.wafflepool.com" on dns server 8.8.8.8 and receive address 206.223.224.2 as a result?  And wasn't it 206.223.224.225 that we are all talking about?


No, right now it seems the us wafflepool.com endpoints are resolving properly when using google's dns:

nslookup useast.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    useast.wafflepool.com
Address:  162.243.89.19

nslookup uswest.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    uswest.wafflepool.com
Address:  192.241.211.125

I'm assuming that when my miners went down, there was a DNS hijack taking place and if you'd tried resolving wafflepool at that point, you'd get the bad IP's.  Looks like currently things are back to normal but I suggest keeping a close eye on your miners, maybe even direct setting the endpoint IP's in cgminer.conf in case this attack starts back up.

I am completely illiterate when it comes to this kind of stuff.  What is the consensus here, is it something wrong on our machines/network or something wrong with Wafflepool? Or something that is in between?
newbie
Activity: 4
Merit: 0
both my miners had switched to 206.223.224.2 - cgminer (bamt) and cudaminer (win7), both rigs using google public dns 8.8.8.8.

Doing lookup on the bad ip:

nslookup 206.223.224.2
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    true.fiberpimp.net
Address:  206.223.224.2



wafflepool now resolves properly:

nslookup useast.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    useast.wafflepool.com
Address:  162.243.89.19

While that sounds conclusive on the surface, did you ever run "nslookup useast.wafflepool.com" on dns server 8.8.8.8 and receive address 206.223.224.2 as a result?  And wasn't it 206.223.224.225 that we are all talking about?


No, right now it seems the us wafflepool.com endpoints are resolving properly when using google's dns:

nslookup useast.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    useast.wafflepool.com
Address:  162.243.89.19

nslookup uswest.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    uswest.wafflepool.com
Address:  192.241.211.125

I'm assuming that when my miners went down, there was a DNS hijack taking place and if you'd tried resolving wafflepool at that point, you'd get the bad IP's.  Looks like currently things are back to normal but I suggest keeping a close eye on your miners, maybe even direct setting the endpoint IP's in cgminer.conf in case this attack starts back up.
member
Activity: 112
Merit: 10
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??
why don't you ask gridseed manages? 98.8% of people in here do not like your kind as much as their first hangover.


I have.. But if it's a Pool issue it's not their issue..

And yea I could see how people would not like me considering I am getting Free hosting including free electricity and Internet..

I don't care what people like or don't like..

newbie
Activity: 56
Merit: 0
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??
why don't you ask gridseed manages? 98.8% of people in here do not like your kind as much as their first hangover.
Cru
newbie
Activity: 3
Merit: 0
When I looked this morning, it was still showing useast.wafflepool.com as the site where I was submitting shares.
full member
Activity: 168
Merit: 100
Whoever is seeing the DNS issues, can you post what your DNS is, and any lookups and results for our endpoints?  We haven't changed anything in terms of DNS in weeks, and it's very disconcerting that multiple people are seeing this.

Name:   uswest.wafflepool.com
Address: 192.241.211.125
Name:   useast.wafflepool.com
Address: 162.243.89.19
Name:   eu.wafflepool.com
Address: 95.85.61.208

all VIA ISP DNS (I'd rather not say who)

The next time the problem occurs I'll give you a network capture of it!

Please do, I've got an email from another person seeing the same thing (disconnect after a while and on reconnect, getting a different pool entirely).  Which is very disconcerting....

pw, I sent you a pm containing some information that I decided not to leave posted publicly, as whoever is responsible for this is likely reading this thread.

since it is obvious that some one compiled cgminer or sgminer with a worm within, you probably should publicly post it here. and after that we will find the trojan link. omg do you think it is deeper... in wifi router's dns settings ?


I do not believe that to be the case.  But if it were a dns hack, cgminer or most other miner software would still continue to display x.wafflepool.com as the pool server name, and it would simply resolve to another ip address underneath.  If cgminer or other miner software shows the unexpected ip address as the server name, then something else must be the cause.  I suggested one possibility to pw, but he considered it to be unlikely.  We'll see.
member
Activity: 112
Merit: 10
What is strange with my Hosted GridSpeed connected to Waffle East is my hash rate shows 0 but my Earned and unconverted keeps growing???  What the heck??


or better stats, you can see here: Better Stats. Please be aware, this site is run 100% by another party and uses our API for data. It is in no way managed or affiliated with us.

Hash Rate: 0.00 kH/s (15min approximated)
Worker   15m Hashrate   15m Stalerate
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   0.00 kH/s   0.00%

Bitcoins sent to you: 0.00000000
Bitcoins earned (not yet sent): 0.01666397
Bitcoins unconverted (approximate): 0.00374650
click to see coin balances

Recent Payouts
Date   Amount   TxnId

Recent Shifts
ID   Ended   Shares (yours / total)   Blocks Found
15335   OPEN   0 / 44722688   1
15334   2014-03-22 22:30:31   0 / 150658560   2
15333   2014-03-22 22:23:18   0 / 151505920   7
15332   2014-03-22 22:15:22   0 / 151298560   12
15331   2014-03-22 22:09:12   0 / 151126528   5
15330   2014-03-22 22:03:27   0 / 150529536   7
15329   2014-03-22 21:57:37   0 / 150871040   10
15328   2014-03-22 21:51:47   0 / 152092672   21
15327   2014-03-22 21:45:37   0 / 152955392   26
15326   2014-03-22 21:39:22   0 / 151446528   2
newbie
Activity: 56
Merit: 0
To everyone who is having their miners redirected to the unexpected ip address...  What type of router equipment are you using on your network?  The brand and model of the unit is not as important as whether it runs its own dns forwarding server.

If you are uncertain, check your computer ip configuration to determine if the dns server it contacts is the internal ip address for your router (private lan 192.168.x.x in most cases) or other dns servers out on the internet.  If you can post which is the case, that will help in determining the cause of this problem.

miners can change their dns to google's 8.8.8.8 to see if it still works "strange" no?
full member
Activity: 168
Merit: 100
both my miners had switched to 206.223.224.2 - cgminer (bamt) and cudaminer (win7), both rigs using google public dns 8.8.8.8.

Doing lookup on the bad ip:

nslookup 206.223.224.2
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    true.fiberpimp.net
Address:  206.223.224.2



wafflepool now resolves properly:

nslookup useast.wafflepool.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    useast.wafflepool.com
Address:  162.243.89.19

While that sounds conclusive on the surface, did you ever run "nslookup useast.wafflepool.com" on dns server 8.8.8.8 and receive address 206.223.224.2 as a result?  And wasn't it 206.223.224.225 that we are all talking about?
newbie
Activity: 56
Merit: 0
Whoever is seeing the DNS issues, can you post what your DNS is, and any lookups and results for our endpoints?  We haven't changed anything in terms of DNS in weeks, and it's very disconcerting that multiple people are seeing this.

Name:   uswest.wafflepool.com
Address: 192.241.211.125
Name:   useast.wafflepool.com
Address: 162.243.89.19
Name:   eu.wafflepool.com
Address: 95.85.61.208

all VIA ISP DNS (I'd rather not say who)

The next time the problem occurs I'll give you a network capture of it!

Please do, I've got an email from another person seeing the same thing (disconnect after a while and on reconnect, getting a different pool entirely).  Which is very disconcerting....

pw, I sent you a pm containing some information that I decided not to leave posted publicly, as whoever is responsible for this is likely reading this thread.

since it is obvious that some one compiled cgminer or sgminer with a worm within, you probably should publicly post it here. and after that we will find the trojan link. omg do you think it is deeper... in wifi router's dns settings ?
